
that they'll be suspected if an attack is discovered. Are there ways to cut through such misattribution techniques, or does attack attribution even matter? Do you think attribution brings any value to the table?


For reasons related to law enforcement and politics, attribution does matter in certain attacks, though there is always the danger of misattributing an attack to an innocent party. For enterprises, there is minimal value in attributing the source of most malware or attacks unless they were targeted at an individual or clearly crafted to infiltrate a specific enterprise.

Still, there is some value to be had from attribution. For example, the efforts needed to attribute an attack can lead to a better understanding of an attacker's methods, which could be useful in determining how to prevent similar attacks in the future. One way this could play out is by identifying common signatures based on the attack, especially if there are members of the information security community who have researched similar attacks. Some attack techniques are used widely, but depending on the attack, there might be unique techniques that could be shared to help identify particular attackers. If an enterprise is investigating multiple advanced attacks, attribution efforts could be used to identify the scope of the different attacks or identify if any of the attacks are related.

There might also be value in knowing which attackers are targeting a specific industry and the methods they tend to employ. Such knowledge could help identify additional controls that might be effective in blocking or detecting the attacks. If a particular group, such as China's 2nd Bureau of the People's Liberation Army, as described in Mandiant's APT1 report, is targeting an industry, using the Mandiant indicators of compromise (which are based on attribution) might be useful for preventing future attacks from that source.

Though there are benefits to attack attribution, keep in mind that the time a security team spends tracking down the source of an attack is time not spent on mitigating other attacks, fine-tuning systems and so on. Unless your enterprise has significant resources available to devote toward in-depth attack analysis, there might be better uses for finite security resources.
